United States Department of State
and the Broadcasting Board of Governors

Office of Inspector General

SEP 19 2011

MEMORANDUM

TO: RM/CFO - James L. Millette

FROM: OIG - Harold W. Geisel

SUBJECT: Final Report on Audit Survey of Department of State Approach To Developing an
Automated Time and Attendance System (AUD/IT-11-41)

The Office of Inspector General (OIG) initiated an audit of the Department of State's
(Department) approach to developing an automated Time and Attendance (T&A) system. The
objective of the audit was to determine to what extent the Department has (1) considered relevant
business processes in developing the T&A system requirements, (2) coordinated with system
users to ensure needs are addressed, and (3) addressed applicable information security
requirements. (The scope and methodology are described in Attachment 1.)

During the audit survey, OIG learned that the T&A phase of the Global Foreign Affairs
Compensation System (GFACS) project is still in the planning and development stages and that
no system has been selected. In addition, implementation documentation relating to T&A
project management and systems has not been developed. As a result, OIG determined that it
was not prudent to proceed with the audit because implementation of the T&A system was not at
a state of development where performance of audit steps and procedures would deliver
meaningful results.
However, the audit survey revealed three areas that require RM's attention:

• Business Case

  The GFACS Exhibit 300 submission does not include a business case for the T&A
  phase of the project, as required by the Foreign Affairs Manual[1] (FAM). Lack of a
  clearly defined business case for the T&A phase will hinder the Department's ability
  to effectively define measurable success criteria for the T&A phase of the project.
  These criteria are essential for determining whether the project resulted in the benefits
  defined in the business case.

[1] 5 FAM 623, "Business Case."

UNCLASSIFIED

• Requirements Analysis

  It was unclear whether a comprehensive requirements analysis had been performed to
  identify and address customer or user needs and expectations. Conducting a
  comprehensive requirements analysis at the beginning of the T&A phase of the
  GFACS project is necessary to help ensure the commercial off-the-shelf (COTS)-based
  T&A system selected will meet business, user, or interoperability requirements.

• Project Management

  The GFACS project management plan does not include information on the T&A
  phase of the project.
  The T&A phase of the implementation therefore lacks formal
  planning documents, such as a communication management plan[2] or a project scope
  statement.[3] Lack of an up-to-date project plan that reflects all the phases of the
  GFACS implementation, including the T&A phase, could lead to a lack of clarity as
  to what is to be accomplished, which could lead to project failure or cost and schedule
  overruns.

To address these conditions, OIG sent a draft audit survey report to RM on August 1, 2011, in
which it recommended that RM update the Exhibit 300 business case for the T&A phase of the
project, perform a detailed requirements analysis of the proposed T&A system, and update the
GFACS project management plan to reflect the T&A phase of the project. By implementing
these recommendations, RM will be better able to ensure the successful integration of the T&A
project in the larger GFACS implementation project.

In its August 26, 2011, response (see Attachment 2), RM agreed with Recommendation 3 and
addressed Recommendations 1 and 2. Based on RM’s response, OIG considers the three
recommendations resolved. They can be closed pending OIG’s review and acceptance of
documentation showing that the actions recommended have been taken. RM’s responses and
OIG’s replies are presented after each recommendation.

Background

The Department processes T&A for employees at overseas posts and domestic bureaus using a
partially manual process. The Department currently uses two separate T&A systems:
Web.TATEL, which is used domestically, and Win T&A, which is used at overseas posts.

[2] Project Management Institute, Project Management Body of Knowledge (A Guide) Fourth Edition.
The publication states that a communication management plan describes “communication needs and
expectations for the project; how and in what format information will be communicated; when and
where each communication will be made; and who is responsible for providing each type of
communication. The communication management plan is contained in, or is a subsidiary plan of,
the project management plan.”
[3] Project Management Body of Knowledge (A Guide). The publication states the project scope
statement is “the narrative description of the project scope, including major deliverables,
project assumptions, project constraints and a description of work, that provides a documented
basis for making future project decisions and for confirming or developing a common
understanding of project scope among the stakeholders.”

American employees working both domestically and overseas are responsible for manually
tracking their T&A and providing this information to timekeepers for reporting. Based on
location, timekeepers input information either into Web.TATEL or Win T&A applications to
report T&A to Global Financial Services in Charleston, SC. Supervisors in bureaus or posts
manually review and approve reports from Web.TATEL or Win T&A.

Recording T&A for domestic employees is performed manually by employees, supervisors, and
timekeepers. Procedures used to track T&A vary by bureau.
That is, some bureaus require
employees to submit biweekly timesheets and leave slips (Office of Personnel Management
[OPM] Form 71, Request for Leave or Approved Absence) to a supervisor for approval, some
bureaus do not require the use of timesheets, and still other bureaus use attendance logs (sign-in,
sign-out logs) to track employee attendance. The process for tracking T&A for overseas
employees is similar to the processes performed domestically. Timekeepers at posts enter T&A
data into Win T&A on a biweekly basis.

The current T&A processes have inherent problems. For instance, OIG’s June 2010 report[4] on
Embassy Baghdad stated that internal controls for overtime at Embassy Baghdad were weak,
which left Embassy Baghdad vulnerable to waste, fraud, and mismanagement. For example,
employees and supervisors did not always sign timesheets, and employees used different types of
timesheets that often lacked key information, such as lines for supervisor or employee signatures
and dates of certification.

The June 2010 report was preceded by a July 2009 OIG inspection report[5] on Embassy Baghdad,
which noted weak internal controls relating to T&A. For instance, individuals were reporting
data directly to Global Financial Services[6] with little, if any, supervisory approval or verification
of time worked, thus leaving the process vulnerable to waste, abuse, and fraud.

Additionally, in a June 2006 inspection report on Global Financial Services,[7] OIG noted that
proper procedures on T&A were “not always followed nor are adequate records maintained.”

The Department recognizes the need for reform in processing T&A. In that regard, RM is
undertaking a project to replace the Department’s current compensation systems with a COTS
system.
The proposed integrated system, GFACS, will replace and combine the functionalities
of the three legacy applications: the Foreign Affairs Retiree Annuitant Distribution System, the
Foreign Service National System, and the Consolidated American Payroll System.

As a key part of this effort, RM is in the process of acquiring and implementing an automated
COTS-based T&A system. The proposed T&A system will interface with GFACS and is
intended to replace and unify the functions of Web.TATEL and Win T&A. The system will also
provide employee self-service features, such as the ability for employees to enter T&A data
themselves, thus eliminating the need for timekeepers to manually track and enter the data. OIG
expects a unified T&A system that integrates with GFACS to provide the Department a more
efficient and cost-effective approach to manage the T&A function. Furthermore, a fully
automated T&A system will provide cost savings in many respects, including avoiding the costs
associated with T&A abuses and eliminating the need for a full-time timekeeper.

[4] Embassy Baghdad Internal Controls for Overtime Pay (AUD/CG-10-25, June 2010).
[5] Embassy Baghdad, Iraq (ISP-I-09-30A, July 2009).
[6] In other parts of the report, Global Financial Services is also referred to as Financial Service Center.
[7] Global Financial Services – Charleston (ISP-I-06-33, June 2006).

Results of Survey

The intent of this audit was to determine whether the Department’s approach to implementing
the proposed automated T&A system will help assure management that the automated COTS
based T&A system will be effectively developed and implemented.
However, during the audit
survey, OIG found that the T&A phase of the GFACS project is still in the planning and
development stages and that no system has been selected and that project management and
systems implementation documentation relating to T&A has not been developed. As a result, it
was not prudent to proceed with the audit. However, the audit survey revealed three potential
areas that require RM’s attention:

The GFACS Exhibit 300 Business Case Submission Lacks Adequate Information on the
T&A Phase of the Project

RM’s GFACS Exhibit 300 submission does not include adequate information on the T&A phase
of the project. Although the master cost and schedule[8] contain budgeted amounts for the T&A
phase, the GFACS Exhibit 300 business case excludes justification for implementing the T&A
phase.

The Department’s FAM[9] stipulates that a business case must be provided as required in Office of
Management and Budget (OMB) Circular No. A-11,[10] Exhibit 300, as part of the budget request
process.
This circular further states that OMB “uses the Exhibit 300 to make both quantitative
decisions about budgetary resources consistent with the Administration’s program priorities and
qualitative assessments about whether an agency’s programming processes are consistent with
OMB policy and guidance.” Additionally, the FAM[11] states that the bureau is to ensure that
business cases “clearly justify the business need based on defined business requirements,
identification of the funds to be spent, and the timeframe for accomplishing mission critical
results.” The FAM further requires the business case to “be aligned to the agency’s mission
statements, goals, objectives, and performance plans.” Additionally, the FAM[12] requires the
business case to

(1) Justify why the program or project is necessary;
(2) Demonstrate how the program or project will add value in meeting the
Department’s strategic and organizational goals and objectives; and
(3) Show how the program or project is the most cost-effective approach.

[8] Exhibit 300 component “Master Cost & Schedule: Comparison of Actual Work Completed and Actual Costs to
Current Approved Baseline” as of April 14, 2011. This document contains a comparison of actual work completed
and actual cost to current approved baseline.
[9] 5 FAM 623a.
[10] OMB Circular No. A-11, “Preparation, Submission, and Execution of the Budget.”
[11] 5 FAM 623d and c.
[12] 5 FAM 623b.

An RM official stated that the amount of information RM can enter into the various Exhibit 300
sections, including the business case, is controlled by the Electronic Capital Planning and
Investment Control (eCPIC) system and therefore is outside the control of RM. However,
without a clearly defined business case for the T&A system, the Department will be unable to
effectively define measurable success criteria for the T&A phase of the project. These criteria
are essential for determining whether the project resulted in the benefits defined in the business
case. In addition, by not providing sufficient information, OMB may not have the information it
needs to determine compliance with OMB policy and guidance. Further, complete
documentation may determine the success or failure of the T&A phase, as complete
understanding of the project is key to gaining the support of OMB to fund the project to
completion.

Recommendation 1.
OIG recommends that the Bureau of Resource Management (RM)
update the Global Foreign Affairs Compensation System (GFACS) Exhibit 300
documentation to reflect a detailed business case for the time and attendance (T&A)
phase of the project and that it consider, because of limitations in the amount of
information that can be entered into the business case section, documenting additional
business case details for the T&A phase of the project outside of the Electronic Capital
Planning and Investment Control system.

Bureau of Resource Management Response: RM stated that the GFACS team was
preparing the OMB Exhibit 300 business case submission for FY 2013 and that it would
be “updated to provide additional detail . . . advocated in OMB memoranda M-10-26 and
M-10-31.”

OIG Reply: Based on the response, OIG considers the recommendation resolved. This
recommendation will be closed when OIG reviews and accepts documentation showing
that the OMB Exhibit 300 business case submission for FY 2013 has been updated with
the additional details OIG had recommended.

Evidence Regarding Performance of Adequate Requirements Analysis Is Lacking

The Department did not provide evidence to support the performance of a comprehensive
requirements analysis needed to understand customer or user needs and expectations from the
proposed COTS based T&A system.

The FAM[13] requires that the users and/or customers participate in defining requirements through
interviews and providing reference materials to substantiate a requested replacement system.

[13] 5 FAM 617.5, “User And/Customer.”

Furthermore, the FAM[14]
requires project managers, before they begin any project, to complete a
“requirements analysis” document that clearly defines and sets forth all the requirements
approved by management for development, modification, or integration. An RM project official
provided a high-level functional requirements document on the current and future state of T&A[15]
intended for market research with potential COTS vendors as evidence of requirements analyses
performed to date. However, functional requirements that describe a high-level functionality of
the proposed system are not a substitute for user-defined or business requirements.

RM officials stated that they had identified two COTS products, namely Kronos WebTA[16] and
Oracle Peoplesoft Time and Attendance,[17] which are currently used in other Federal agencies and
that “as the result of performing due diligence,” they had conducted research into these two
products to determine whether the products could “serve as the starting point for addressing the
Department’s needs with respect to [T&A].” The officials further stated that the “current and
future state” requirements document was used to evaluate the products and that once the software
acquisition was completed, RM would compile a “comprehensive requirements list that will
serve as the basis for conducting a ‘fit/gap’ analysis.”

However, OIG maintains that the better approach would be to compile comprehensive
requirements and perform the “fit/gap” analysis prior to acquiring the software.
In its response
to OIG’s draft Notices of Findings and Recommendations dated April 14, 2011, RM officials
further stated that “[i]n recognition of the fact that vendors often choose not to make huge
investments in response to Market Surveys,” RM had taken an approach that will not
“[overwhelm] the vendor community with repetitive detail.” However, because T&A is a major
investment, it is prudent for RM to work closely with prospective vendors to determine how their
products’ capabilities will address the Department’s T&A needs without subjecting the
Department to excessive and expensive business process changes and attendant system
customizations.

Inadequate performance of effective requirements analysis at the beginning of the T&A phase of
the GFACS project could introduce many project risks, including a COTS based T&A
application that does not fully deliver the tasks for which it was purchased. These unmet
requirements could lead to user dissatisfaction with the new system, require additional scope
changes and additional time to implement, and result in potential cost overruns. Although,
according to RM officials, the T&A phase is currently not the focus of the overall GFACS
project, OIG noted that the eCPIC master cost and schedule contain budget amounts that were
obtained from prospective vendor estimates. Without the correct and approved user or
stakeholder requirements, cost estimates cannot be effectively determined and additional
amounts may be spent on customizations and integration, which may lead to cost overruns.

[14] 5 FAM 621k, “General.”
[15] Bureau of Resource Management, Time and Attendance (T&A) Current and Future State, dated May 2010.
[16] The Department of Homeland Security and the U. S.
States Agency for International Development are examples
of Federal agencies that currently use Kronos WebTA, one of the two systems identified by RM.
[17] The Departments of Agriculture and of Health and Human Services are examples of Federal agencies that
currently use the Oracle Peoplesoft Time and Attendance System, one of the two systems identified by RM.

Recommendation 2. OIG recommends that the Bureau of Resource Management (RM)
perform a detailed requirements analysis of the proposed time and attendance system to
ensure that user, business, and system integration needs are fully understood and agreed
to by all stakeholders before the new system is purchased and implemented. RM should
additionally ensure that budgeted amounts recorded are based on complete and approved
requirements.

Bureau of Resource Management Response: In its response, RM stated that the
Department “has chosen Peoplesoft to address its global compensation requirements and
has successfully migrated the Department’s annuitant payroll from the legacy FARADS
system to GFACS.” RM also stated that it “concluded that Peoplesoft integrated Time
and Labor software was the most appropriate foundation for addressing the Department’s
T&A needs in a cost effective manner.” RM stated that its conclusion resulted from
“conducting a Market Survey” as well as vendor product demonstrations “tailored around
the Department’s critical T&A business requirements.” According to RM, “These
requirements will be finalized as appropriate to establish the foundation for conducting
a ‘fit-gap’ analysis” and this activity will be performed before “development and
deployment of a new T&A system” into the GFACS environment.

OIG Reply: OIG recognizes that a T&A system based on the same platform (Peoplesoft)
as GFACS provides many benefits, including easier integration with other GFACS
modules as well as efficiencies derived from using similar development tools to perform
needed customizations. Further, OIG commends RM for its plans to build on the
requirements used to previously guide the market survey and product demonstrations by
conducting a “fit-gap” analysis and ensuring that any user or business requirements gap is
identified and resolved prior to developing and deploying the T&A system.

Based on this response, OIG considers the recommendation resolved. This
recommendation will be closed when OIG reviews and accepts updated requirements
documentation showing that RM has identified and documented gaps between the
Department’s requirements and the proposed system’s capabilities before the T&A
system is deployed. Additionally, RM’s documentation should demonstrate measures it
has taken or plans to take to address the identified gaps.

T&A Project Is Not Adequately Accounted For in the Overall GFACS Project
Management Plan

T&A implementation is one of the phases of the overall GFACS project. Although cost
projections have been recorded in the master cost and schedule, the GFACS project management
plan has not been updated to include the T&A phase.
Thus the T&A phase of the
implementation does not have evidence of formal planning documents, such as a communication
management plan or a project scope statement.

The FAM[18] requires project managers to not begin a project without the documented approval of
a comprehensive project management plan, “which must be kept up to date by the project
manager throughout the project cycle.” The FAM[19] further states that performance measures of
IT projects must be defined within the project plan and that the performance measures must,
among other requirements, clearly define the project’s milestones and goals in terms that can be
measured.

RM officials have indicated that the T&A phase is currently not the focus of the GFACS project.
However, given that the T&A phase has been initiated and budget amounts have been
determined, the GFACS project management plan should appropriately reflect the T&A phase in
a manner similar to that in which the other key GFACS milestones are reflected. Not having an
up-to-date project management plan that reflects all the phases of GFACS implementation,
including the T&A phase, could lead to a lack of clarity as to what is to be accomplished and
result in project failure or cost and schedule overruns.

Recommendation 3. OIG recommends that the Global Foreign Affairs Compensation
System project management plan be updated to reflect the time and attendance phase of
the project.

Bureau of Resource Management Response: RM concurred with this recommendation,
stating that it will update the GFACS project management plan.

OIG Reply: Based on the response, OIG considers this recommendation resolved.
The recommendation will be closed after RM updates the GFACS project management plan
and OIG determines that the plan adequately reflects the T&A phase of the project.

As the action office for the recommendations specified, OIG requests that you provide
information on actions taken or planned for the three recommendations within 30 days of the
date of this memorandum. Actions taken or planned are subject to followup and reporting in
accordance with the compliance response information.

OIG appreciates the cooperation and assistance provided by your staff during this audit survey.
If you have any questions, please contact Evelyn R. Klemstine, Assistant Inspector General for
Audits, at (202) 663-0372 or by email at klemstinee@state.gov or Jerry Rainwaters, Division
Director, at (703) 284-1841 or by email at rainwatersj@state.gov.

Attachments: As stated.

cc: CIO – Susan Swart

[18] 5 FAM 621j.
[19] 5 FAM 624a(1).

Attachment 1

Scope and Methodology

The Office of Inspector General (OIG) performed the audit survey for this report from February
through April 2011 in accordance with generally accepted government auditing standards.
Those standards require that OIG plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for the findings and conclusions based on the audit
objectives. OIG believes that the evidence obtained provides a reasonable basis for the findings
and conclusions based on the audit objective.
OIG discussed its findings and proposed
recommendations with Bureau of Resource Management (RM) officials on May 2, 2011.

The objective of the audit was to determine to what extent the Department has (1) considered
relevant business processes in developing the time and attendance (T&A) system requirements,
(2) coordinated with system users to ensure needs are addressed, and (3) addressed applicable
information security requirements.

To conduct the audit survey, OIG reviewed project documentation, including the Global Foreign
Affairs Compensation System (GFACS) Exhibit 300 business case, the project management
plan, schedule and cost data, and functional requirements, and discussed these documents with
RM officials.

OIG performed the audit survey based on criteria contained in National Institute of Standards
and Technology (NIST) and Office of Management and Budget (OMB) publications and in the
Foreign Affairs Manual (FAM) and the Foreign Affairs Handbook (FAH). (See the section
“Criteria” in this attachment.)

Based on the audit survey, OIG determined that it was not prudent to proceed with the audit
because implementation of the T&A system was not at a state of development where
performance of audit steps and procedures would deliver meaningful results.

Use of Computer-Processed Data and Data Reliability

To assess the reliability of project schedule and cost data, OIG obtained online access to the
Electronic Capital Planning and Investment Control (eCPIC)[1] system and obtained copies of the
GFACS Project Management Plan and the GFACS master cost and schedule. To verify the cost
amounts, OIG contacted the GFACS Project Management Office (PMO) point of contact to gain
an understanding of the development of the amounts. OIG understood that amounts such as the
cost variances were derived from Earned Value Management (EVM) calculations that were
inherent in the eCPIC system.
Using EVM formulas obtained from the PMO, OIG manually
computed cost variances for a judgmentally selected sample of two GFACS milestones in order
to confirm the accuracy of the calculated variances contained in the master cost and schedule.

[1] The eCPIC system is a Government-owned application designed to help Federal agencies manage and control their
initiatives, portfolios, and investment priorities.

Criteria

To evaluate the adequacy of the T&A implementation approach against audit objectives, OIG
used the following criteria:

• OMB Circular No. A-130, appendix III,[2] and OMB Memoranda M-10-26 and M-10-31.[3]
• NIST Special Publications (SP) and Federal Information Processing Publications.
• Department policies and procedures (FAMs and FAHs).

Furthermore, OMB Circular 130, appendix III, and NIST SP 800-53, revision 3,[4] provide
minimum and recommended security controls, respectively, for all Federal information and
information systems. Additionally, NIST SP 800-64[5] emphasizes the importance of integrating
essential information security considerations into the Systems Development Life Cycle.

OMB memoranda M-10-26 and M-10-31 were issued in 2010 to Federal agencies requiring the
agencies’ immediate review of financial systems’ information technology (IT) projects
specifically and more broadly a review of all IT projects.
The intent of memorandum M-10-26 was to emphasize “a re-examination of these expensive and
lengthy investments in financial modernization solutions in favor of shorter-term, lower-cost,
and easier-to-manage solutions.”
The memorandum further states, “By dividing projects into smaller segments that deliver the
most critical functionality more quickly, Federal agencies will achieve greater functionality
sooner, better align projects to their organizations capacity to manage change, and reduce risk
and cost.”

OMB Memorandum M-10-31, which was to identify high risk IT projects, states, “CIO Council
agencies will be required to develop and put in place improvement plans for their highest-risk IT
projects.”

The FAM, 5 FAM 610,[6] establishes guidance for developing and managing IT systems. For
example, section 617.5 of the FAM defines a user or customer as “anyone who will use the
system or end product being developed and/or accepts the end product(s) is a user or a
customer.” The FAM further states, “The user and/or customer specify that software
requirements are based on business needs by participating in interviews and providing reference
materials to substantiate requested replacement system.”

Additionally, 5 FAM 626.1[7] requires systems implementation efforts to include a study period
within which key activities should include, but not be limited to, the following:

    Define business, user, and system requirements. Business requirements must be
    linked to the project’s mission and Bureau of Information Resource Management
    (IRM) goals. Business requirements should not be expressed in terms of
    solutions, but statements of need for specific functions (e.g., output from the
    system). User requirements are expressed as attributes that describe the features
    and capabilities needed to fit the system with the work environment and business
    process.

[2] OMB Circular A-130, app. III, “Security of Federal Automated Information Resources.”
[3] OMB Memoranda M-10-26, Immediate Review of Financial Systems IT Projects, and M-10-31, Immediate Review
of Information Technology Projects.
[4] NIST SP 800-53, rev. 3, “Recommended Security Controls for Federal Information Systems and Organizations.”
[5] NIST SP 800-64, rev. 2, “Security Considerations in the System Development Life Cycle.”
[6] 5 FAM 610, “Developing and Managing Information Technology (IT) Systems.”
[7] 5 FAM 626.1, “Study Period.”

Attachment 2

United States Department of State
Chief Financial Officer
Washington, D.C. 20520

AUG 26 2011

UNCLASSIFIED

MEMORANDUM

TO:          OIG - Harold W. Geisel

FROM:        RM - James L. Millette

SUBJECT: Draft Report on Audit Survey of Department of State Approach to
         Developing an Automated Time and Attendance System

This is in response to your request for comments on the draft report entitled "Audit
Survey of Department of State Approach to Developing an Automated Time and
Attendance System".

RM is pleased that the OIG acknowledges the need to replace the Department's
two legacy Time and Attendance (T&A) systems and recognizes many of the
benefits associated with deploying software that will be fully integrated with
GFACS.

The draft audit survey identifies "three potential areas that require RM's attention".
Each recommendation is discussed in turn.

Recommendation 1. OIG recommends that the Bureau of Resource
Management (RM) update the Global Foreign Affairs Compensation
System (GFACS) Exhibit 300 documentation to reflect a detailed
business case for the time and attendance (T&A) phase of the project and
that it consider, because of limitations in the amount of information that
can be entered into the business case section, documenting additional
business case details for the T&A phase of the project outside of the
Electronic Capital Planning and Investment Control (eCPIC) System.

The GFACS team is in the process of preparing the OMB Exhibit 300
business case submission for FY2013. It will be updated to provide
additional detail such as business need, business benefit, project
timeframe, and alignment with the "shorter-term, lower-cost and
easier-to-manage solutions" principles advocated in OMB memoranda
M-10-26 and M-10-31.

Recommendation 2.
OIG recommends that the Bureau of Resource
Management (RM) perform a detailed requirements analysis of the
proposed time and attendance system to ensure that user, business, and
system integration needs are fully understood and agreed to by all
stakeholders before the new system is purchased and implemented. RM
should additionally ensure that budgeted amounts recorded are based on
complete and approved requirements.

As the OIG is aware, the Department has chosen PeopleSoft to address
its global compensation requirements and has successfully migrated the
Department's Annuitant payroll from the legacy FARADS system to
GFACS.

More recently, RM concluded that the PeopleSoft integrated Time and
Labor software was the most appropriate foundation for addressing the
Department's T&A needs in a cost-effective manner. This determination
was the result of conducting a Market Survey that included COTS
product demonstrations tailored around the Department's critical T&A
business requirements. These requirements will be finalized as
appropriate to establish the foundation for conducting a "fit-gap"
analysis. This activity will be done prior to the development and
deployment of a new T&A system under GFACS.

Recommendation 3. OIG recommends that the Global Foreign Affairs
Compensation System project management plan be updated to reflect the
time and attendance phase of the project.

RM concurs with this recommendation and will update the GFACS
project management plan.

We thank you for the opportunity to comment on the Draft Report.
While we believe this audit survey was premature, we are committed to improving the
Department's T&A processes and systems in an efficient and cost-effective
manner.